Sync Fork from Upstream Repo

.azure-pipelines/windows.yml

@@ -0,0 +1,21 @@
+# Azure Pipelines
+# TODO(lizan): Consider rolling all presubmit jobs into one file.
+trigger:
+- master
+
+jobs:
+- job: Windows
+  timeoutInMinutes: 360
+  pool:
+    vmImage: 'windows-latest'
+
+  steps:
+  - powershell: |
+      .\ci\windows_ci_setup.ps1
+      Write-Host "##vso[task.prependpath]$env:TOOLS_BIN_DIR"
+    displayName: 'Install dependencies'
+    env:
+      TOOLS_BIN_DIR: $(Pipeline.Workspace)\bin
+
+  - powershell: .\ci\windows_ci_steps.ps1
+    displayName: 'Run Windows CI'

.circleci/config.yml

@@ -64,6 +64,7 @@ jobs:
            fingerprints:
              - "fb:f3:fe:be:1c:b2:ec:b6:25:f9:7b:a6:87:54:02:8c"
        - run: ci/api_mirror.sh
+       - run: ci/go_mirror.sh
        - store_artifacts:
            path: /build/envoy/generated
            destination: /

CODEOWNERS

@@ -57,3 +57,5 @@ extensions/filters/common/original_src @snowp @klarose
 /*/extensions/filters/common/expr @kyessenov @yangminzhu
 # webassembly common extension
 /*/extensions/common/wasm @jplevyak @PiotrSikora
+# common crypto extension
+/*/extensions/common/crypto @lizan @PiotrSikora @bdecoste

api/STYLE.md

@@ -47,9 +47,8 @@ In addition, the following conventions should be followed:
 
 * Protos for configs and services that are not implemented immediately in
   Envoy, or are under active design and development should be versioned
-  "v2alpha". If several iterations of the alpha API are expected, then versions
-  "v2alpha1", "v2alpha2", and so on are preferred. Alpha-versioned protos are
-  considered experimental and are not required to preserve compatibility.
+  "vNalpha". See the [stable API versioning
+  policy](https://github.com/envoyproxy/envoy/issues/6271).
 
 * Every proto directory should have a `README.md` describing its content. See
   for example [envoy.service](envoy/service/README.md).

api/bazel/api_build_system.bzl

@@ -2,12 +2,14 @@ load("@com_google_protobuf//:protobuf.bzl", _py_proto_library = "py_proto_librar
 load("@com_envoyproxy_protoc_gen_validate//bazel:pgv_proto_library.bzl", "pgv_cc_proto_library")
 load("@io_bazel_rules_go//proto:def.bzl", "go_grpc_library", "go_proto_library")
 load("@io_bazel_rules_go//go:def.bzl", "go_test")
+load("@com_github_grpc_grpc//bazel:cc_grpc_library.bzl", "cc_grpc_library")
 
 _PY_SUFFIX = "_py"
 _CC_SUFFIX = "_cc"
+_CC_GRPC_SUFFIX = "_cc_grpc"
 _CC_EXPORT_SUFFIX = "_export_cc"
 _GO_PROTO_SUFFIX = "_go_proto"
-_GO_IMPORTPATH_PREFIX = "github.com/envoyproxy/data-plane-api/api/"
+_GO_IMPORTPATH_PREFIX = "github.com/envoyproxy/go-control-plane/"
 
 _COMMON_PROTO_DEPS = [
     "@com_google_protobuf//:any_proto",
@@ -32,12 +34,10 @@ def _LibrarySuffix(library_name, suffix):
         library_name += ":" + Label(library_name).name
     return _Suffix(library_name, suffix)
 
-# TODO(htuch): has_services is currently ignored but will in future support
-# gRPC stub generation.
 # TODO(htuch): Convert this to native py_proto_library once
 # https://github.com/bazelbuild/bazel/issues/3935 and/or
 # https://github.com/bazelbuild/bazel/issues/2626 are resolved.
-def api_py_proto_library(name, srcs = [], deps = [], external_py_proto_deps = [], has_services = 0):
+def api_py_proto_library(name, srcs = [], deps = [], external_py_proto_deps = []):
     _py_proto_library(
         name = _Suffix(name, _PY_SUFFIX),
         srcs = srcs,
@@ -73,6 +73,23 @@ def py_proto_library(name, deps = []):
         visibility = ["//visibility:public"],
     )
 
+def _api_cc_grpc_library(name, proto, deps = []):
+    cc_grpc_library(
+        name = name,
+        srcs = [proto],
+        deps = deps,
+        proto_only = False,
+        grpc_only = True,
+        visibility = ["//visibility:public"],
+    )
+
+def _ToCanonicalLabel(label):
+    # //my/app and //my/app:app are the same label. In places we mutate the incoming label adding different suffixes
+    # in order to generate multiple targets in a single rule. //my/app:app_grpc_cc.
+    # Skylark formatters and linters prefer the shorthand label whilst we need the latter.
+    rel = Label("//" + native.package_name()).relative(label)
+    return "//" + rel.package + ":" + rel.name
+
 # This is api_proto_library plus some logic internal to //envoy/api.
 def api_proto_library_internal(visibility = ["//visibility:private"], **kwargs):
     # //envoy/docs/build.sh needs visibility in order to generate documents.
@@ -83,41 +100,50 @@ def api_proto_library_internal(visibility = ["//visibility:private"], **kwargs):
 
     api_proto_library(visibility = visibility, **kwargs)
 
-# TODO(htuch): has_services is currently ignored but will in future support
-# gRPC stub generation.
 def api_proto_library(
         name,
         visibility = ["//visibility:private"],
         srcs = [],
         deps = [],
+        tags = [],
         external_proto_deps = [],
         external_cc_proto_deps = [],
         external_py_proto_deps = [],
         has_services = 0,
         linkstatic = None,
         require_py = 1):
+    relative_name = ":" + name
     native.proto_library(
         name = name,
         srcs = srcs,
         deps = deps + external_proto_deps + _COMMON_PROTO_DEPS,
+        tags = tags,
         visibility = visibility,
     )
+    cc_proto_library_name = _Suffix(name, _CC_SUFFIX)
     pgv_cc_proto_library(
-        name = _Suffix(name, _CC_SUFFIX),
+        name = cc_proto_library_name,
         linkstatic = linkstatic,
         cc_deps = [_LibrarySuffix(d, _CC_SUFFIX) for d in deps] + external_cc_proto_deps + [
             "@com_google_googleapis//google/api:http_cc_proto",
             "@com_google_googleapis//google/api:annotations_cc_proto",
             "@com_google_googleapis//google/rpc:status_cc_proto",
         ],
-        deps = [":" + name],
+        deps = [relative_name],
         visibility = ["//visibility:public"],
     )
     py_export_suffixes = []
-    if (require_py == 1):
-        api_py_proto_library(name, srcs, deps, external_py_proto_deps, has_services)
+    if require_py:
+        api_py_proto_library(name, srcs, deps, external_py_proto_deps)
         py_export_suffixes = ["_py", "_py_genproto"]
 
+    # Optionally define gRPC services
+    if has_services:
+        # TODO: when Python services are required, add to the below stub generations.
+        cc_grpc_name = _Suffix(name, _CC_GRPC_SUFFIX)
+        cc_proto_deps = [cc_proto_library_name] + [_Suffix(_ToCanonicalLabel(x), _CC_SUFFIX) for x in deps]
+        _api_cc_grpc_library(name = cc_grpc_name, proto = relative_name, deps = cc_proto_deps)
+
     # Allow unlimited visibility for consumers
     export_suffixes = ["", "_cc", "_cc_validate"] + py_export_suffixes
     for s in export_suffixes:

api/bazel/envoy_http_archive.bzl

@@ -10,7 +10,6 @@ def envoy_http_archive(name, locations, **kwargs):
         # This repository has already been defined, probably because the user
         # wants to override the version. Do nothing.
         return
-
     loc_key = kwargs.pop("repository_key", name)
     location = locations[loc_key]
 

api/bazel/repositories.bzl

@@ -54,7 +54,7 @@ api_proto_library(
 
 go_proto_library(
     name = "client_model_go_proto",
-    importpath = "client_model",
+    importpath = "github.com/prometheus/client_model/go",
     proto = ":client_model",
     visibility = ["//visibility:public"],
 )

api/envoy/api/v2/BUILD

@@ -34,6 +34,7 @@ api_proto_package(
 api_proto_library_internal(
     name = "discovery",
     srcs = ["discovery.proto"],
+    has_services = 1,
     visibility = [":friends"],
     deps = ["//envoy/api/v2/core:base"],
 )

api/envoy/api/v2/auth/cert.proto

@@ -386,7 +386,8 @@ message DownstreamTlsContext {
 message SdsSecretConfig {
   // Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to.
   // When both name and config are specified, then secret can be fetched and/or reloaded via SDS.
-  // When only name is specified, then secret will be loaded from static resources [V2-API-DIFF].
+  // When only name is specified, then secret will be loaded from static
+  // resources.
   string name = 1;
   core.ConfigSource sds_config = 2;
 }

api/envoy/api/v2/core/grpc_service.proto

@@ -160,7 +160,6 @@ message GrpcService {
   // request.
   google.protobuf.Duration timeout = 3;
 
-  // Field 4 reserved due to moving credentials inside the GoogleGrpc message
   reserved 4;
 
   // Additional metadata to include in streams initiated to the GrpcService.

api/envoy/api/v2/core/health_check.proto

@@ -189,8 +189,7 @@ message HealthCheck {
     CustomHealthCheck custom_health_check = 13;
   }
 
-  reserved 10; // redis_health_check is deprecated by :ref:`custom_health_check
-               // <envoy_api_field_core.HealthCheck.custom_health_check>`
+  reserved 10;
   reserved "redis_health_check";
 
   // The "no traffic interval" is a special health check interval that is used when a cluster has

api/envoy/api/v2/core/protocol.proto

@@ -1,5 +1,3 @@
-// [#protodoc-title: Protocol options]
-
 syntax = "proto3";
 
 package envoy.api.v2.core;
@@ -67,7 +65,7 @@ message Http2ProtocolOptions {
   //
   // NOTE: 65535 is the initial window size from HTTP/2 spec. We only support increasing the default
   // window size now, so it's also the minimum.
-
+  //
   // This field also acts as a soft limit on the number of bytes Envoy will buffer per-stream in the
   // HTTP/2 codec buffers. Once the buffer reaches this pointer, watermark callbacks will fire to
   // stop the flow of data to the codec buffers.

api/envoy/api/v2/lds.proto

@@ -93,10 +93,10 @@ message Listener {
     // bind can only receive connections redirected from other listeners that
     // set use_original_dst parameter to true. Default is true.
     //
-    // [V2-API-DIFF] This is deprecated in v2, all Listeners will bind to their
-    // port. An additional filter chain must be created for every original
-    // destination port this listener may redirect to in v2, with the original
-    // port specified in the FilterChainMatch destination_port field.
+    // This is deprecated in v2, all Listeners will bind to their port. An
+    // additional filter chain must be created for every original destination
+    // port this listener may redirect to in v2, with the original port
+    // specified in the FilterChainMatch destination_port field.
     //
     // [#comment:TODO(PiotrSikora): Remove this once verified that we no longer need it.]
     google.protobuf.BoolValue bind_to_port = 1;

api/envoy/api/v2/listener/BUILD

@@ -28,3 +28,9 @@ api_proto_library_internal(
         "//envoy/api/v2/core:base",
     ],
 )
+
+api_proto_library_internal(
+    name = "quic_config",
+    srcs = ["quic_config.proto"],
+    visibility = ["//envoy/api/v2:friends"],
+)

api/envoy/api/v2/listener/quic_config.proto

@@ -0,0 +1,28 @@
+syntax = "proto3";
+
+package envoy.api.v2.listener;
+
+option java_outer_classname = "ListenerProto";
+option java_multiple_files = true;
+option java_package = "io.envoyproxy.envoy.api.v2.listener";
+option csharp_namespace = "Envoy.Api.V2.ListenerNS";
+option ruby_package = "Envoy::Api::V2::ListenerNS";
+
+import "google/protobuf/duration.proto";
+import "google/protobuf/wrappers.proto";
+
+// Configuration specific to the QUIC protocol.
+// Next id: 4
+message QuicProtocolOptions {
+  // Maximum number of streams that the client can negotiate per connection. 100
+  // if not specified.
+  google.protobuf.UInt32Value max_concurrent_streams = 1;
+
+  // Maximum number of milliseconds that connection will be alive when there is
+  // no network activity. 300000ms if not specified.
+  google.protobuf.Duration idle_timeout = 2;
+
+  // Connection timeout in milliseconds before the crypto handshake is finished.
+  // 20000ms if not specified.
+  google.protobuf.Duration crypto_handshake_timeout = 3;
+}

api/envoy/api/v2/route/route.proto

@@ -342,10 +342,10 @@ message RouteMatch {
     //
     // Examples:
     //
-    // * The regex */b[io]t* matches the path */bit*
-    // * The regex */b[io]t* matches the path */bot*
-    // * The regex */b[io]t* does not match the path */bite*
-    // * The regex */b[io]t* does not match the path */bit/bot*
+    // * The regex ``/b[io]t`` matches the path */bit*
+    // * The regex ``/b[io]t`` matches the path */bot*
+    // * The regex ``/b[io]t`` does not match the path */bite*
+    // * The regex ``/b[io]t`` does not match the path */bit/bot*
     //
     // .. attention::
     //   This field has been deprecated in favor of `safe_regex` as it is not safe for use with
@@ -848,7 +848,7 @@ message RouteAction {
 }
 
 // HTTP retry :ref:`architecture overview <arch_overview_http_routing_retry>`.
-// [#comment:next free field: 9]
+// [#comment:next free field: 10]
 message RetryPolicy {
   // Specifies the conditions under which retry takes place. These are the same
   // conditions documented for :ref:`config_http_filters_router_x-envoy-retry-on` and
@@ -933,6 +933,11 @@ message RetryPolicy {
   // the base interval. The documentation for :ref:`config_http_filters_router_x-envoy-max-retries`
   // describes Envoy's back-off algorithm.
   RetryBackOff retry_back_off = 8;
+
+  // HTTP headers that trigger a retry if present in the response. A retry will be
+  // triggered if any of the header matches match the upstream response headers.
+  // The field is only consulted if 'retriable-headers' retry policy is active.
+  repeated HeaderMatcher retriable_headers = 9;
 }
 
 // HTTP request hedging :ref:`architecture overview <arch_overview_http_routing_hedging>`.
@@ -1097,9 +1102,9 @@ message VirtualCluster {
   //
   // Examples:
   //
-  // * The regex */rides/\d+* matches the path */rides/0*
-  // * The regex */rides/\d+* matches the path */rides/123*
-  // * The regex */rides/\d+* does not match the path */rides/123/456*
+  // * The regex ``/rides/\d+`` matches the path */rides/0*
+  // * The regex ``/rides/\d+`` matches the path */rides/123*
+  // * The regex ``/rides/\d+`` does not match the path */rides/123/456*
   //
   // .. attention::
   //   This field has been deprecated in favor of `headers` as it is not safe for use with
@@ -1286,11 +1291,8 @@ message HeaderMatcher {
   // Specifies the name of the header in the request.
   string name = 1 [(validate.rules).string.min_bytes = 1];
 
-  reserved 2; // value deprecated by :ref:`exact_match
-              // <envoy_api_field_route.HeaderMatcher.exact_match>`
-
-  reserved 3; // regex deprecated by :ref:`regex_match
-              // <envoy_api_field_route.HeaderMatcher.regex_match>`
+  reserved 2;
+  reserved 3;
 
   // Specifies how the header match will be performed to route the request.
   oneof header_match_specifier {
@@ -1304,9 +1306,9 @@ message HeaderMatcher {
     //
     // Examples:
     //
-    // * The regex *\d{3}* matches the value *123*
-    // * The regex *\d{3}* does not match the value *1234*
-    // * The regex *\d{3}* does not match the value *123.456*
+    // * The regex ``\d{3}`` matches the value *123*
+    // * The regex ``\d{3}`` does not match the value *1234*
+    // * The regex ``\d{3}`` does not match the value *123.456*
     //
     // .. attention::
     //   This field has been deprecated in favor of `safe_regex_match` as it is not safe for use
@@ -1356,7 +1358,7 @@ message HeaderMatcher {
   //
   // Examples:
   //
-  // * The regex *\d{3}* does not match the value *1234*, so it will match when inverted.
+  // * The regex ``\d{3}`` does not match the value *1234*, so it will match when inverted.
   // * The range [-10,0) will match the value -1, so it will not match when inverted.
   bool invert_match = 8;
 }
@@ -1379,7 +1381,7 @@ message QueryParameterMatcher {
   // Specifies whether the query parameter value is a regular expression.
   // Defaults to false. The entire query parameter value (i.e., the part to
   // the right of the equals sign in "key=value") must match the regex.
-  // E.g., the regex "\d+$" will match "123" but not "a123" or "123a".
+  // E.g., the regex ``\d+$`` will match *123* but not *a123* or *123a*.
   //
   // ..attention::
   //   This field is deprecated. Use a `safe_regex` match inside the `string_match` field.

api/envoy/api/v3alpha/auth/cert.proto

@@ -386,7 +386,7 @@ message DownstreamTlsContext {
 message SdsSecretConfig {
   // Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to.
   // When both name and config are specified, then secret can be fetched and/or reloaded via SDS.
-  // When only name is specified, then secret will be loaded from static resources [V2-API-DIFF].
+  // When only name is specified, then secret will be loaded from static resources.
   string name = 1;
   core.ConfigSource sds_config = 2;
 }

api/envoy/api/v3alpha/core/protocol.proto

@@ -67,7 +67,7 @@ message Http2ProtocolOptions {
   //
   // NOTE: 65535 is the initial window size from HTTP/2 spec. We only support increasing the default
   // window size now, so it's also the minimum.
-
+  //
   // This field also acts as a soft limit on the number of bytes Envoy will buffer per-stream in the
   // HTTP/2 codec buffers. Once the buffer reaches this pointer, watermark callbacks will fire to
   // stop the flow of data to the codec buffers.